The GDPR (General Data Protection Regulation) requires organisations to conduct a DPIA (data protection impact assessment) whenever processing is ‘likely to result in a high risk’ to the rights and freedoms of individuals.
The Regulation doesn’t define what ‘high risk’ is, so this blog provides examples of processing activities that require a DPIA.
What does ‘high risk’ mean?
Before we crack on with our examples, we should explain how you can identify high-risk data processing activities.
Or, to be more specific, identifying potentially high-risk data processing activities, because you won’t know for sure until you’ve completed a DPIA.
You’re therefore performing a broad analysis, looking for types of processing that might endanger data subjects’ rights and freedoms. You can do this by breaking risk into its two component parts:
- Probability: the likelihood that the data processing will result in a data breach or privacy violation.
- Damage: the effects on the individual if a data breach or privacy violation occurs.
Where you set the threshold at which risk becomes ‘high’ is up to you, but the GDPR includes three types of data processing that always meet these criteria.
Systematic and extensive profiling with significant effects
Systematic processing includes activities that are used to observe, monitor or control data subjects.
For example, organisations might monitor an employee’s browsing habits to make sure they aren’t using the Internet for illicit purposes. Likewise, a retailer might use personal data collected about an individual to provide targeted ads.
Not every instance of systematic processing requires a DPIA. Note that the processing must also be extensive (continual monitoring as opposed to occasional checks) and have significant effects (the data reveals something sensitive about the individual).
You can define ‘sensitive’ by assessing the damage – be it financial, reputational or emotional – that could be caused if the personal data was accessed by an unauthorised party.
Large-scale use of sensitive information
‘Large-scale’ refers to:
- A significant number of data subjects;
- A high volume of personal data; or
- Storing data for a substantial length of time.
Meanwhile, sensitive information refers to special categories of data or personal data relating to criminal convictions and offenses.
Large-scale public monitoring
This includes any personal data processing that occurs in a publicly accessible space. The most prominent example of this is CCTV, but organisations will need to be increasingly concerned about dashcam footage and smart technology.
Likewise, the development of ‘smart cities’ will see a surge in public monitoring that will be subject to DPIAs.
In addition to these types of data processing, the ICO (Information Commissioner’s Office) states that organisations must conduct a DPIA when:
Implementing new technology
This includes any processing that involves innovative use of technologies or the application of modern technology to existing processes.
Examples of this include:
- Artificial intelligence and machine learning;
- Self-driving cars;
- Intelligent transport systems; and
- Smart technology.
Assessing denial of service
Organisations often use automated decision-making to decide whether an individual should be given access to a product or service.
They must conduct a DPIA if that process involves sensitive data. This is often the case when financial data is involved, such as in credit checks and mortgage applications.
Conducting large-scale processing
According to the ICO, all large-scale data processing – not just activities involving sensitive information – should be subject to a DPIA.
Processing biometric or genetic data
Biometric data is usually used to authenticate that someone has appropriate access rights. Face and iris recognition and fingerprint scans are the most common examples.
Physical tests, like heartbeat monitoring and keystroke dynamics, are also considered biometric data.
Similarly, the collection of genetic data (other than that processed by an individual GP or health professional for the provision of healthcare direct to the data subject) is subject to a DPIA.
This includes data processed to perform medical diagnoses, DNA testing or medical research.
This is any activity in which personal data from multiple sources is combined or compared. This can occur for many reasons, but fraud prevention and direct marketing are two of the most common.
Conducting invisible processing
This is the processing of personal data that wasn’t obtained directly from the data subject. The rules surrounding this are outlined in Article 14 of the GDPR.
Examples of invisible processing include:
- List brokering;
- Direct marketing;
- Online tracking by third parties;
- Online advertising;
- Data aggregation; and
- Re-use of publicly available data.
This is the monitoring of individuals’ movement or behaviour. Depending on the organisation’s aims, it might choose to track:
- Location: e.g. using IP address or GPS software.
- Habits: e.g. monitoring browsing history or interactions with Internet of Things devices.
- Lifestyle: e.g. health monitoring and fitness apps, or the frequency with which the individual uses certain products, services or devices.
- Responses: e.g. monitoring keystrokes or an individual’s eye movements when interacting with a web page.
Targeting children or vulnerable people for specific types of processing
Children and vulnerable people are given special protection under the GDPR. This includes any personal data processing targeted at them for:
- Marketing purposes;
- Other forms of automated decision-making; or
- Online services.
Processing that involves risk of physical harm
The risk related to personal data breaches usually refers to financial, reputational or emotional damages, but you must also be aware of physical risks.
For example, if the identity of a whistle-blower was exposed, that person might fear for their safety. Likewise, if child counselling records were exposed, the affected child’s home life could be made even worse.
Want help with the DPIA process?
Hopefully you’re now confident of when a DPIA is necessary, but you still need to figure out how to conduct one.
The GDPR doesn’t specify a process to follow, so this is where our DPIA Tool helps.
This essential software guides you through the six steps you must complete to ensure your assessment effectively measures the level of risk involved in data processing activities.
You don’t have to be a GDPR expert to complete a DPIA. Our tool shows you the questions you need to ask and how you can find the answers. It even provides links to the relevant sections of the Regulation, so you can check why each process is necessary.